Dividing Authorization Between a Control Plane and a Data Plane for Sharing Database Data

3. The system of claim 2, wherein prior to the receipt of the request to obtain the metadata, the control plane performed a policy lookup to authorize creation of the database as an external database at the consumer database engine.

4. The system of claim 1, wherein the database service is a data warehouse service offered as part of a provider network, wherein the producer database engine is associated with a first account of the provider network, and wherein the consumer is associated with a second account of the provider network.

6. The method of claim 5, wherein performing the request received via the interface of the control plane of the database service to confirm the authorization of the database to be shared with the consumer, comprises creating a policy at an access management service to authorize the database service to provide access to the database on behalf of the consumer.

8. The method of claim 7, wherein prior to receiving the request to obtain the metadata, the control plane performed a policy lookup to authorize creation of the database as an external database or schema at the consumer database engine.

9. The method of claim 6, further comprising removing, by the control plane, the policy at the access management service as part of performing a request to de-authorize the consumer to access the database.

10. The method of claim 6, further comprising providing, by the control plane, the policy obtained from the access management service in response to a request to view the policy that authorizes the database service to provide access to the database on behalf of the consumer.

12. The method of claim 5, wherein performing the request from the producer database engine for the database in the database service to propose authorization of the database to be shared with the consumer comprises creating a datashare record in database permission data.

13. The method of claim 12, wherein performing the request received via the interface of the control plane to associate the consumer database engine in the data plane with the consumer to provide the consumer database engine with the authorization to access the database comprises evaluating the datashare record to determine that permission is granted to the consumer before making the association with the consumer database engine.

15. The one or more non-transitory, computer-readable storage media of claim 14, wherein, in performing the request received via the interface of the control plane of the database service to confirm the authorization of the database to be shared with the consumer, the program instructions cause the control plane to implement creating a policy at an access management service to authorize the database service to provide access to the datashare on behalf of the consumer.

17. The one or more non-transitory, computer-readable storage media of claim 14, wherein prior to receiving the request to obtain the metadata, the control plane performed a policy lookup to authorize creation of the database as an external database or schema at the consumer database engine.

18. The one or more non-transitory, computer-readable storage media of claim 14, storing further instructions that when executed on or across the one or more computing devices, cause the control plane to further implement returning the database as part of a list of databases shared with the consumer engine in response to a request for the list of databases shared with the consumer engine received from the consumer engine.

20. The one or more non-transitory, computer-readable storage media of claim 14, wherein the database service is a data warehouse service offered as part of a provider network, wherein the producer database engine is associated with a first account of the provider network, and wherein the consumer is associated with a second account of the provider network.